{
  "Event": {
    "analysis": "1",
    "date": "2026-03-31",
    "extends_uuid": "",
    "info": "[Threat Intel] WhatsApp malware campaign delivers VBScript and MSI backdoors",
    "protected": false,
    "publish_timestamp": "1775907169",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775907168",
    "uuid": "3bd22168-7512-4a16-a4a4-c5627d6e8782",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#0bacad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rename Legitimate Utilities - T1036.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"01031d3f-c9c9-4288-bb58-234c38e4246e\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012429",
        "to_ids": false,
        "type": "link",
        "uuid": "ec8076d8-9e59-4ff9-bfe2-4f7503a9466c",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012429",
        "to_ids": false,
        "type": "text",
        "uuid": "db462a15-cf73-4c3f-bc60-64b3fa568a31",
        "value": "A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012429",
        "to_ids": false,
        "type": "text",
        "uuid": "b1fda92e-5363-400d-9dc4-415f9c9f89fa",
        "value": "Name: WhatsApp malware campaign delivers VBScript and MSI backdoors\nAuthor: AlienVault\nAdversary: \nTags: [\"cloud-based\", \"social-engineering\", \"uac-bypass\", \"remote-access\", \"whatsapp\", \"multi-stage\", \"vbs\", \"msi\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1548.002\", \"T1204.002\", \"T1543.003\", \"T1053\", \"T1055\", \"T1112\", \"T1566\", \"T1078\", \"T1036.003\", \"T1059.005\", \"T1574.002\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902664",
        "to_ids": true,
        "type": "sha256",
        "uuid": "d8bb3b91-a6c9-4999-b70b-3d93944b8b82",
        "value": "1f726b67223067f6cdc9ff5f14f32c3853e7472cebe954a53134a7bae91329f0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902665",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4852b5b7-3012-43ca-8e52-f0de86e71054",
        "value": "22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902665",
        "to_ids": true,
        "type": "sha256",
        "uuid": "08cb0758-c5c7-453a-b769-ba148ed2e32a",
        "value": "5eaaf281883f01fb2062c5c102e8ff037db7111ba9585b27b3d285f416794548",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902666",
        "to_ids": true,
        "type": "sha256",
        "uuid": "40459218-5554-4848-b70d-ac214e8dfe6a",
        "value": "613ebc1e89409c909b2ff6ae21635bdfea6d4e118d67216f2c570ba537b216bd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902666",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c3f76aee-1207-408a-9b96-aa69cca0cb2e",
        "value": "630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902667",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5638e1e8-a110-463b-9925-2d6b44ea9b78",
        "value": "a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902668",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2e41a4cb-d986-4288-9c3c-39f4c1851c71",
        "value": "dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal\r\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902669",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c5952cce-57a0-46a3-921b-317f2470f1a2",
        "value": "df0136f1d64e61082e247ddb29585d709ac87e06136f848a5c5c84aa23e664a0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
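        "comment": "Amazon S3 bucket on a shared cloud-hosting domain; match only this exact bucket hostname, never the parent amazonaws.com domain",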
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906692",
        "to_ids": true,
        "type": "url",
        "uuid": "f2980ca5-76b8-4991-babf-1831a9547ec5",
        "value": "https://bafauac.s3.ap-southeast-1.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
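        "comment": "Amazon S3 bucket on a shared cloud-hosting domain; match only this exact bucket hostname, never the parent amazonaws.com domain",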
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906714",
        "to_ids": true,
        "type": "url",
        "uuid": "791f21af-2776-4497-a4d1-cb78fd66693c",
        "value": "https://yifubafu.s3.ap-southeast-1.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
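        "comment": "Amazon S3 bucket on a shared cloud-hosting domain; match only this exact bucket hostname, never the parent amazonaws.com domain",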
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906735",
        "to_ids": true,
        "type": "url",
        "uuid": "ab93cdfc-6d60-4a0e-996e-7b9768fdb252",
        "value": "https://9ding.s3.ap-southeast-1.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Backblaze B2 Cloud Storage",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906756",
        "to_ids": true,
        "type": "url",
        "uuid": "7b495597-c4d2-468e-95cc-d87cd8ec6112",
        "value": "https://f005.backblazeb2.com/file/bsbbmks",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Tencent Cloud storage - command and control (C2) infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906777",
        "to_ids": true,
        "type": "url",
        "uuid": "563b1732-cb99-42b0-a00d-cb9e63bd2aca",
        "value": "https://sinjiabo-1398259625.cos.ap-singapore.myqcloud.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Command and control domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906798",
        "to_ids": true,
        "type": "domain",
        "uuid": "ec508a32-1aad-438b-a314-0d64a2be9ab2",
        "value": "neescil.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Command and control domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906819",
        "to_ids": true,
        "type": "domain",
        "uuid": "0bcf6113-dfc4-4565-8d2d-d8b1282c4a68",
        "value": "velthora.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906840",
        "uuid": "d7b7a054-1c08-4714-aa03-ab2eeb53404e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906840",
            "to_ids": true,
            "type": "md5",
            "uuid": "5ce586a7-d83c-4806-8aab-60c3d3ba9b78",
            "value": "1304f43c5fddcf664ba0f068a5a7bc18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902656",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c2abca73-b341-413e-b7de-d4dcccaf9335",
            "value": "c8e5795f32b3c9d94b8aa3811fe3f61725fa5869",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902656",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0c2af5f8-52e0-455d-8dd3-cf862ae11ef8",
            "value": "1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902063",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3efb5d2c-dfa2-4f31-8ef2-47967eece168",
            "value": "96:LAr+AJUF6efCEeCjH6Av0/Zo/oG/aFZqghyEXl:LAr2F60ds/Zo/3/apz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902063",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8892e230-3a23-41ea-b62d-ab9f0804fc66",
            "value": "6348"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902063",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f5126182-23b3-46ce-a2ef-681ed1dfe804",
            "value": "613c08645cececae3a8d8a81ee90ebff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902063",
            "to_ids": true,
            "type": "filename",
            "uuid": "ba74770f-5439-49ec-bfd5-21b34c1e461e",
            "value": "WindowsUpdate_KB5034231_Deploy.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902063",
            "to_ids": false,
            "type": "text",
            "uuid": "150c53c1-d039-4965-8bfc-64b50be7d217",
            "value": "Type Description: VBA\nMicrosoft: TrojanDownloader:VBS/Periculant.C\nVT Total Detection:22/62\nFirst Submission:2026-03-03T08:25:17.000000+00:00\nLast Submission:2026-03-03T08:25:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906861",
        "uuid": "9eafe54d-b186-4b29-beea-31040c078357",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906861",
            "to_ids": true,
            "type": "md5",
            "uuid": "ecfac8ea-b709-4461-bbd3-220af02068df",
            "value": "2d9ef700fb9ce1550ca73f50428fef87",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902657",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1ca96c5a-6214-4d6d-b5e2-5f7e5872ec40",
            "value": "1fb0cb93de16671e3d4123438147549b47d10fdc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902657",
            "to_ids": true,
            "type": "sha256",
            "uuid": "82ccc7ec-f448-4049-abe7-a5d50bc2ee8b",
            "value": "a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902084",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "629f8ddd-78ad-42ab-ab84-4f9e2d1cfc9d",
            "value": "3145728:58pO043khggzSnpofsINZN2pmZd9i51/rB3bRuK03mpjvX6M:58pO7MggenpU20Ev13NLJjiM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902084",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "56456d18-9477-4bbd-9703-03d3ec0fde42",
            "value": "151375872"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902084",
            "to_ids": true,
            "type": "vhash",
            "uuid": "18579f62-1219-43d6-b392-3c39041e3c14",
            "value": "2927e68f82fa039a6332d13425cc33c3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902084",
            "to_ids": true,
            "type": "filename",
            "uuid": "8e8f4cdc-9a51-4774-bbef-8f1bf741cb44",
            "value": "setup.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902084",
            "to_ids": false,
            "type": "text",
            "uuid": "eac365d6-2163-4e64-841d-e27277969591",
            "value": "Type Description: Windows Installer\nMicrosoft: Trojan:Win32/GhostRat!MTB\nVT Total Detection:20/62\nFirst Submission:2026-02-27T11:23:09.000000+00:00\nLast Submission:2026-03-03T17:59:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906883",
        "uuid": "05bc63a6-a537-49e9-988a-6ba352b32dc1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906883",
            "to_ids": true,
            "type": "md5",
            "uuid": "02bff5bd-34ce-4019-9596-3e8e0438dd9e",
            "value": "3466746d84501cb07a9833057e835565",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902657",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e7ffc1f4-505a-4abf-b6e6-93b34d17ba67",
            "value": "68e6071ec9210bce297d30c209ddf4026fd5a4f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902658",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6535aa26-fa0d-446a-8b6e-eb2ab9f8817a",
            "value": "57bf1c25b7a12d28174e871574d78b4724d575952c48ca094573c19bdcbb935f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902106",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c2780efe-57b4-4a2c-a420-36210e89b535",
            "value": "96:LAr+AJUv6kJCEeCjH6Av0/Zo/oG/aFZqghyEXl:LAr2v6Mds/Zo/3/apz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902106",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0e99ac47-d873-477e-a5e9-e1bbc86a8590",
            "value": "6340"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902106",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0a5a6f10-22a6-476d-87c4-85449a7693d1",
            "value": "613c08645cececae3a8d8a81ee90ebff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902106",
            "to_ids": true,
            "type": "filename",
            "uuid": "eeb3df09-d338-46cb-b499-78580cbf860a",
            "value": "yifu.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902106",
            "to_ids": false,
            "type": "text",
            "uuid": "528cff0b-5106-4954-a9dc-853f43fc20ac",
            "value": "Type Description: VBA\nMicrosoft: TrojanDownloader:VBS/Periculant.C\nVT Total Detection:25/62\nFirst Submission:2026-03-02T13:55:55.000000+00:00\nLast Submission:2026-03-07T02:24:51.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906904",
        "uuid": "2ea4f497-b4e6-4f6b-a384-27b7578fa3a4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906904",
            "to_ids": true,
            "type": "md5",
            "uuid": "3e58df13-4ecc-416d-a4f7-6b7457d75beb",
            "value": "788808eb187f389f040f657dc68be22b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902658",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d4079d56-d8db-4cd3-8b10-b1c1f85b639b",
            "value": "c24399140355d98b22aa33806fa161d24057adaf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902658",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ad523b1b-9dcd-400e-9c62-259f126f35c0",
            "value": "07c6234b02017ffee2a1740c66e84d1ad2d37f214825169c30c50a0bc2904321",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902128",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8ee5b53e-3c1d-425e-96e2-8cc5facec2a5",
            "value": "96:LAr+AJUT6kJCEeCjH6Av0/Zo/oG/aFZqghyEXl:LAr2T6Mds/Zo/3/apz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902128",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b7af6cf6-d330-4bb0-9878-891258c8c354",
            "value": "5894"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902128",
            "to_ids": true,
            "type": "vhash",
            "uuid": "555d2510-3933-4fe5-88b0-1f2ef55553c1",
            "value": "613c08645cececae3a8d8a81ee90ebff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902128",
            "to_ids": true,
            "type": "filename",
            "uuid": "a50ea2e7-98e6-437f-804d-cbb65de0c433",
            "value": "2009.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  09/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902128",
            "to_ids": false,
            "type": "text",
            "uuid": "bd195f9d-6a60-4f15-9f52-8ed454edbbf7",
            "value": "Type Description: VBA\nMicrosoft: TrojanDownloader:VBS/Periculant.C\nVT Total Detection:24/62\nFirst Submission:2026-02-28T10:44:35.000000+00:00\nLast Submission:2026-02-28T10:44:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906925",
        "uuid": "0d7715b1-31e6-4a3a-8f21-0f2cd40e67a1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906925",
            "to_ids": true,
            "type": "md5",
            "uuid": "e55829ef-c9d9-4009-aad7-abd7411201fb",
            "value": "ccdec658c763815084962a66ce09c10b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902659",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e224d86e-f040-41bf-a471-7280927e6189",
            "value": "968b6a9551532dc5c95867250e23f19d6edc207b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902659",
            "to_ids": true,
            "type": "sha256",
            "uuid": "248ed202-7c89-47f7-ac82-17c9c5b8dfe9",
            "value": "15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902149",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2a6a2913-cb67-4682-99f9-76ba8bdf36c4",
            "value": "3145728:38pO043khggzSnpofsINZN2pmZd9i51/rB3bRuK03mpjvX6M:38pO7MggenpU20Ev13NLJjiM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902149",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "27c11e61-ff03-4c44-9a35-ba0bbd3fbb5c",
            "value": "151375872"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902149",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9421015a-ff0c-4f43-9af3-68aa84c275b8",
            "value": "2927e68f82fa039a6332d13425cc33c3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902149",
            "to_ids": true,
            "type": "filename",
            "uuid": "839a54d2-04c4-48ca-adcf-21ac777ac7fb",
            "value": "LinkPoint.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902149",
            "to_ids": false,
            "type": "text",
            "uuid": "79669c2c-e952-44ab-b56b-76d53d6053c4",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:12/63\nFirst Submission:2026-03-11T01:33:07.000000+00:00\nLast Submission:2026-03-11T11:31:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906946",
        "uuid": "419f47d6-4006-4d54-a405-fec7e943e06a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906946",
            "to_ids": true,
            "type": "md5",
            "uuid": "d0994586-26cb-4b4e-99ec-290fcd26aac1",
            "value": "36493fa829413fd4f042e45a0eea640c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902660",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6102001e-8934-4c28-8289-bff48aedbe21",
            "value": "778be1e5b4fae352e222a3d32d0155562bf18d43",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902660",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dcabd7b6-be44-467f-9447-0868288359e8",
            "value": "5cd4280b7b5a655b611702b574b0b48cd46d7729c9bbdfa907ca0afa55971662",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902213",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d7b13f63-ac56-4181-8a88-88f2870bb749",
            "value": "48:M5JzjTI/RRq4+ANFuT2MKSg+Cngzbsqbw6D7cQ+P7cQ+jCb2ZShfwQThG5LV:M5JfTIrq4+ANFuT2Jgz4qbw6DYQgYQ69"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902213",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2907932c-a194-4bb0-8a5a-cf2a33bd1093",
            "value": "2979"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902213",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cefd3e52-2232-4384-a55e-fd3bc70cb5cb",
            "value": "ca234282e0d3ece81e08d55cbf18a26e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902213",
            "to_ids": true,
            "type": "filename",
            "uuid": "723eda2d-dee3-494f-819e-7339e62f880f",
            "value": "WinUpdate_KB5034231.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902213",
            "to_ids": false,
            "type": "text",
            "uuid": "ee40ae58-80bb-4bc0-b7e0-5beaad35090b",
            "value": "Type Description: VBA\nMicrosoft: Trojan:VBS/Malgent!MSR\nVT Total Detection:5/62\nFirst Submission:2026-03-05T08:40:01.000000+00:00\nLast Submission:2026-03-05T08:40:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906967",
        "uuid": "4e958d5f-171a-495a-940c-d21e0368e480",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906967",
            "to_ids": true,
            "type": "md5",
            "uuid": "392c7563-96a9-4c52-a9cf-0ba4ca5478fe",
            "value": "0607ee50ce94a64be22b42e037cb7c65",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902661",
            "to_ids": true,
            "type": "sha1",
            "uuid": "47dd434e-e50d-4e7c-9329-b6593923b25d",
            "value": "459a2d8c45497691f12e487fa3d7058e8413499c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902661",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2d7bb2e8-c7fb-4525-92fa-edc1fddce342",
            "value": "91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902298",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bc3d0bc7-5bc4-4c89-bbda-f2f005704472",
            "value": "24:7A+kqeKR+V1w2gzt09NysD9NysoLcFO4V1dby3:7AG+7g+9BD9B5O483"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902299",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "81240557-9d5f-4f7c-87fc-f584b8f9a25c",
            "value": "933"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902299",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e9498448-dfcd-4c76-a97c-f5f539ebebc3",
            "value": "7be12492291c1fe9199ec32b72e84ba7"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902299",
            "to_ids": true,
            "type": "filename",
            "uuid": "6ef819f1-2cf2-4122-944a-37d4a9e484a1",
            "value": "auxs.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  09/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902299",
            "to_ids": false,
            "type": "text",
            "uuid": "5b896041-9cfa-491a-acc9-cab67f356eb4",
            "value": "Type Description: VBA\nMicrosoft: Trojan:VBS/BypassUAC.PAA!MTB\nVT Total Detection:21/62\nFirst Submission:2026-01-18T10:26:06.000000+00:00\nLast Submission:2026-03-07T02:24:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775906989",
        "uuid": "86f7628f-56e6-4961-a4ef-aa32b733fc11",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775906989",
            "to_ids": true,
            "type": "md5",
            "uuid": "bbba4d3f-8bc9-4611-86f7-00856bc0ecbe",
            "value": "8175c10bccd2454cd66b70445e3cca9f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902663",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ee4acb49-1bd9-4cbb-b610-5c0c1303f8fa",
            "value": "b778629b9cdd1f28b9e7610d3936bf1ec457c999",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902663",
            "to_ids": true,
            "type": "sha256",
            "uuid": "830bf61d-5123-4d79-98ad-f417117e5526",
            "value": "c9e3fdd90e1661c9f90735dc14679f85985df4a7d0933c53ac3c46ec170fdcfd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775902341",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0ae8260b-8cba-42a0-b15f-a0176a286a34",
            "value": "96:LAr+AJUTV0tWCEeCjH6Av0/Zo/oG/aFZqghyEXl:LAr2TV+Wds/Zo/3/apz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775902341",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "827e3565-51fb-4daa-a37f-ecf67049ef42",
            "value": "6062"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775902341",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a70fdb8a-bc27-4ecd-a608-ac6a8c428333",
            "value": "613c08645cececae3a8d8a81ee90ebff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775902341",
            "to_ids": true,
            "type": "filename",
            "uuid": "3bbebd92-194f-4764-a14a-1d226833c25d",
            "value": "MS_Securit_Patch_Service.png"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775902341",
            "to_ids": false,
            "type": "text",
            "uuid": "68e476f2-808b-4c56-aaa2-f64013cb2c9f",
            "value": "Type Description: VBA\nMicrosoft: TrojanDownloader:VBS/Periculant.C\nVT Total Detection:18/62\nFirst Submission:2026-04-01T01:06:33.000000+00:00\nLast Submission:2026-04-01T01:06:33.000000+00:00"
          }
        ]
      }
    ]
  }
}